---
title: Bypassing antivirus
section: "Finishing our malware"
course: code_malware
layout: lesson
---

Before we can finish this course, we need to see how we can bypass some
antivirus by using some manual obfuscation techniques. What we are going to
need is an already compiled version of our malware and a hex editor (I'll be
using wxHexEditor). In this lesson we will talk about two different techniques:

- The hex manipulation technique
- The comments technique

## Hex manipulation techniques

For this technique we will need a hex editor (any one will do, as the procedure
is the same regardless of the editor).

With our hex editor, we will open our malware "_.exe_" file. If you are using
wxHexEditor too, a window like the following shall open:

![Hex editor](/img/courses/code_malware/hexeditor.png)

Every hex editor will _usually_ be split into two sections: the hex values and
the string-like (ASCII) rendering of the opened file. You can see the HEX values
on the left and the string values on the right.

As you can see, at the beginning of our program there's a "_This program cannot
be run in DOS mode._" string. It is added to every Windows program, and that's
the first thing we are going to change. But first... What are we doing and...
Why?

Even a slight change to the source code can help us avoid the shasum (hash)
signatures of some antivirus vendors. Any change you make to your program,
whether it is simply adding a new "_else/if_" statement, adding comments, or
changing the binary value of the program as we will do soon, will help you
bypass some antivirus. For example, let's suppose you followed every lesson
until this point and made the exact same program as shown here, then compiled
it. You, and every person who created a program from this same source code,
will have the same binary value. But if you change just one single byte, that
program becomes different from yours and mine, so it probably won't get caught
by some antivirus. Note that you can't change every single byte inside the hex
editor, because modifying bytes that shouldn't be modified will break your
program and make it not runnable. So you can only change string values, such as
"_This program cannot be run in DOS mode_". To modify any value, click it and
type the new value, which will overwrite the focused one. Keep in mind that if
you are modifying this string, you can only do it up to the "_e_" ("_DOS
mod**e**_").

**Note:** If you modified a byte that shouldn't be modified or simply want to
undo something, you can press **CTRL+Z**.

These are the strings I modified:

![The hexadecimal bytes I modified](/img/courses/code_malware/hexmodified.png)
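As an added example (not part of the course or its Backdoor.c), the following Python script reproduces the hex-editor overwrite on a constructed, PE-like buffer and compares what a whole-file SHA-256 sees with what a chunked (piecewise) hash sees. The buffer layout, the `overwrite_string` helper and the 64-byte chunk size are assumptions for the demonstration; they show why defenders do not rely on an exact file hash alone.

```python
import hashlib

# Constructed stand-in for a compiled Windows .exe: an "MZ" marker, the DOS
# stub message the lesson edits, some padding and a run of code-like bytes.
DOS_STUB = b"This program cannot be run in DOS mode."


def build_sample() -> bytes:
    """Return a constructed 640-byte buffer that mimics the layout of a PE file."""
    return b"MZ" + b"\x90" * 62 + DOS_STUB + b"\x00" * 25 + bytes(range(256)) * 2


def overwrite_string(data: bytes, old: bytes, new: bytes) -> bytes:
    """Type over `old` with `new`, like a hex editor: same length, no insert/delete."""
    if len(old) != len(new):
        raise ValueError("hex-editor overwrite must keep the byte length")
    idx = data.find(old)
    if idx < 0:
        raise ValueError("string not found in buffer")
    return data[:idx] + new + data[idx + len(old):]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def piecewise_similarity(a: bytes, b: bytes, chunk: int = 64) -> float:
    """Fraction of fixed-size chunks whose SHA-256 is identical in both buffers.

    A whole-file hash changes completely after a single edit, but a piecewise
    hash still matches every chunk the edit did not touch, so a defender can
    still relate the edited file to the known one.
    """
    chunks_a = [a[i:i + chunk] for i in range(0, len(a), chunk)]
    chunks_b = [b[i:i + chunk] for i in range(0, len(b), chunk)]
    total = max(len(chunks_a), len(chunks_b))
    same = sum(1 for x, y in zip(chunks_a, chunks_b) if sha256_hex(x) == sha256_hex(y))
    return same / total


def compare(original: bytes, edited: bytes) -> dict:
    """Summarise how the edit looks to an exact hash versus a chunked hash."""
    return {
        "whole_hash_changed": sha256_hex(original) != sha256_hex(edited),
        "bytes_changed": sum(1 for x, y in zip(original, edited) if x != y),
        "piecewise_similarity": piecewise_similarity(original, edited),
    }


if __name__ == "__main__":
    orig = build_sample()
    print(compare(orig, overwrite_string(orig, b"DOS mode", b"dos MODE")))
```

Changing 7 bytes of the stub string flips the whole-file hash while 9 of the 10 chunks still match, which is the kind of signal fuzzy and piecewise hashing in detection pipelines is built on.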

## The comments technique

Another way of bypassing antivirus is as easy as going to your **Backdoor.c**
file and adding random comments anywhere. They don't need to mean anything or
contain any information; they simply need to modify the size (and therefore the
shasum) of your malware. When you have done that, simply compile your program
again with all of those comments, and it could help you avoid some antivirus.
For example:

![The comment technique](/img/courses/code_malware/comments.png)
